The present invention relates generally to data packet security within a local area network and more specifically to an improved secure computer network having selectable packet disrupt within a network that uses multiport secure repeaters.
Networks of computers are commonly used in today's business environment. One common network system structure uses one or more repeaters. The repeater typically includes several ports. A particular data packet received at one port is retransmitted to the other ports of the repeater. Each repeater restores timing and amplitude degradation of data packets received on one port and retransmits them to all other ports, and hence over the network. For networks employing a CSMA/CD-type of network, such as an Ethernet network, every data packet passes through every repeater. Network administrators are thereby able to conveniently use each repeater as a device on the network from which to gather information concerning the operation of the network.
In traditional Ethernet (802.3 10BASE5) and Cheapernet (802.3 10BASE2), a coaxial cable provides a linear bus to which all nodes of a local area network are connected. A standard promulgated by the IEEE (IEEE Standard 802.3) defines various functionality for computer networks. This standard is expressly incorporated by reference for all purposes. Signaling is accomplished using a current sink technique wherein a center conductor of the coaxial cable is used for a signal and a shield conductor of the coaxial cable is used for a reference voltage (typically ground). Twisted pair Ethernet (802.3 10BASE-T) uses a standard voice grade telephone cable rather than the coaxial cable. The telephone cable uses separate pairs of conductive wires for transmission and reception.
When using twisted pair Ethernet, the network configuration is a star topology. The star topology provides for several end stations or data terminal equipment (DTE) devices all coupled to a multi-port repeater located at a center of the star. The repeater performs signal amplitude and timing restoration. The repeater receives a bitstream at one of its ports and restores signal amplitude levels and timing requirements to all appropriate output ports. The repeater repeats the reshaped and retimed input bitstream to all of its other ports. In one sense, the repeater acts as a logical coaxial cable, permitting every node connected to the twisted pair network to receive each transmission from any other node, just as when a coaxial cable is used. The pairs of conductors use differential signaling, one pair for transmission and another pair for reception.
While a repeater is used in a traditionally wired coaxial Ethernet network as a mechanism to extend the physical distance limit of the network, in IEEE 802.3 10BASE-T the standard mandates the use of a repeater to provide connectivity between nodes whenever more than two nodes are present. Although physical signaling on the cabling differs between the traditional Ethernet-type of repeater and the twisted pair-type of repeater, the functionality of the repeaters is identical, as is the frame or packet format that is used to pass messages between the participating nodes on the network.
The packet commences with a preamble sequence which is an alternating ("1" and "0") pattern. The preamble sequence provides a single frequency on the network, in this case five megahertz (MHz), at the start of each frame, allowing a receiver to acquire and lock onto the associated bitstream. The preamble sequence is followed by a start of frame identifier that immediately precedes the data portion of the transmission. Either a start of frame delimiter (802.3) or synch sequence (Ethernet) delineates the start of the data portion of the message. Following the start of frame identifier are two address fields: a destination address (DA) and a source address (SA). These addresses are both forty-eight bit values and are transmitted least significant bit (LSB) first.
A media access controller (MAC) associated with each DTE uses the destination address to determine whether an incoming packet is addressed to the node it is associated with. When a receiving node detects a match between its own node address and an address transmitted in the destination address field, it attempts to receive the packet. Nodes having a MAC that does not detect a matching address typically ignore a remainder of the packet.
There are three types of destination addressing supported by the 802.3 standards:
1. Individual. The DA field contains an individual and unique address assigned to a single node on the network.
2. Multicast. When the first bit (LSB) of the DA is set, the remainder of the DA includes a group address. The group of nodes that are actually addressed is determined by a higher layer function. In general, use of a group address is designed to transmit a message to a logically similar subset of nodes on the network.
3. Broadcast. The broadcast is a special form of multicast address wherein the DA field is set to all "1's." This address is reserved, and all nodes on the network must be capable of receiving a broadcast message.
The MAC that transmits a data packet writes its own address into the SA field. This allows the transmitting MAC to identify those packets which it originates. The 802.3 standards do not require that a receiving MAC take any action based upon the SA field. In some applications, such as management, security or configuration, the SA field may be tracked and monitored.
A two-byte length/type field follows the SA field. The choice of length or type is dependent upon whether the frame is compatible with the IEEE 802.3 or the Ethernet standard. The higher order byte of the length/type field is transmitted first, with the LSB of each byte transmitted first.
A data field contains actual packet data that is transferred between end stations and is between forty-six to fifteen hundred bytes in length. A logical link control (LLC) function is responsible for fragmenting data into block sizes suitable for transmission over the network. Data bytes are transmitted sequentially with the LSB of each byte transmitted first.
A frame check sequence (FCS) is a four-byte field that contains a cyclic redundancy check (CRC) for the entire frame. The transmitting station computes the CRC throughout the DA, the SA, the length/type field, and data field. The transmitting station appends the FCS as the last four bytes of the frame. A receiving station uses the same CRC algorithm to compute the CRC for a received frame. The receiving station compares the CRC value it computes with the CRC value in the transmitted FCS. A mismatch indicates an error, such as a corrupted data frame. CRC bits of the FCS are transmitted in order: most significant bit (MSB) to LSB.
FIG. 1 and FIG. 2 are diagrams illustrating frame formats for an IEEE 802.3 Standard compliant packet and an Ethernet packet, respectively. Comparing the packet formats illustrates that a primary difference between the packet types is that the start of frame delimiter (SFD) for 802.3 is defined as a byte that has a "1 0 1 0 1 0 1 1" pattern whereas the start frame (synch) of Ethernet is a "11" sequence. Even so, in both cases, a total number of bits for the preamble plus the start of frame indication is sixty-four bits long.
The 802.3 and Ethernet standards both specify that a frame must be in the range of sixty-four to fifteen hundred eighteen bytes (excluding preamble/SFD). However, the actual data field in the 802.3 system is permitted to be smaller than the forty-six byte value that is necessary to ensure this minimum size. To handle a smaller size data field, the MAC of a transmitting station appends pad characters to the LLC data field before sending data over the network. The Ethernet standard assumes that an upper layer ensures that the minimum data field is forty-six bytes before passing data to the MAC; therefore the existence of appended pad characters is unknown to the MAC implementing an Ethernet format.
The 802.3 standard also uses a length field that indicates the number of data bytes that are in the data field only. Ethernet, on the other hand, uses a type field in the same two bytes to identify the message protocol type. Since valid Ethernet type fields are always assigned outside of the valid maximum 802.3 packet length size, both 802.3 and Ethernet packets can coexist on the same network. Hence, it has been found that it is important to be able to track and monitor the addresses for a variety of reasons. For example, for secure networks it may be important that authentication is required to ensure that the appropriate nodes on the network receive the information. In addition, as networks change in the number of nodes attached thereto, it becomes important to be able to associate an address with a particular port or the like within the network.
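The frame layout described in the preceding paragraphs (DA, SA, length/type, data with 802.3 padding, FCS) can be exercised with the following added example. It is illustration code written for this page, not code from the patent or from any repeater product; the sample addresses and payloads are constructed, and the disruption-free parse simply reports the fields a secure repeater would have to recognise. The destination address class is taken from the LSB of the first DA byte (the first bit on the wire, since bytes are transmitted LSB first), an 802.3 frame is told apart from an Ethernet frame by whether the two-byte field is at most the maximum 802.3 length, and the FCS is checked with the standard CRC-32 packed in the byte order seen in captured frames (an assumption about wire order that matches common capture tools).

```python
import struct
import zlib

# Constants of the frame format discussed above
MAX_8023_LENGTH = 1500          # a length/type value above this is an Ethernet type field
MIN_DATA = 46                   # minimum data field; 802.3 MACs pad up to this
MIN_FRAME, MAX_FRAME = 64, 1518 # frame size limits excluding preamble/SFD
BROADCAST = bytes([0xFF] * 6)


def classify_da(da):
    """Individual, multicast or broadcast, from the LSB of the first DA byte."""
    if da == BROADCAST:
        return "broadcast"
    if da[0] & 0x01:            # first bit on the wire set => group address
        return "multicast"
    return "individual"


def build_frame(da, sa, length_or_type, payload, pad=True):
    """Wire bytes after preamble/SFD: DA, SA, length/type, data, FCS.

    pad=True models an 802.3 MAC padding the LLC data to 46 bytes;
    pad=False models an Ethernet MAC that expects the upper layer to do it.
    """
    data = payload + bytes(MIN_DATA - len(payload)) if pad and len(payload) < MIN_DATA else payload
    body = da + sa + struct.pack(">H", length_or_type) + data   # high-order byte of length/type first
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)       # CRC over DA..data, appended last
    return body + fcs


def parse_frame(frame):
    """Split a frame into its fields, verify the FCS and decide 802.3 vs Ethernet."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError("frame length %d outside %d..%d" % (len(frame), MIN_FRAME, MAX_FRAME))
    da, sa = frame[0:6], frame[6:12]
    (lt,) = struct.unpack(">H", frame[12:14])
    data, fcs = frame[14:-4], frame[-4:]
    (rx_crc,) = struct.unpack("<I", fcs)
    fcs_ok = rx_crc == (zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    if lt <= MAX_8023_LENGTH:
        kind, llc_data = "802.3", data[:lt]   # length counts LLC data only; the rest is pad
    else:
        kind, llc_data = "ethernet", data     # type field; any pad is invisible to the MAC
    return {"kind": kind, "da": da, "sa": sa, "da_class": classify_da(da),
            "length_or_type": lt, "data": llc_data, "fcs_ok": fcs_ok}


# Constructed sample frames (addresses and payloads invented for this example)
SAMPLE_DA = bytes.fromhex("0200a1b2c3d4")   # first byte 0x02: LSB clear => individual
SAMPLE_SA = bytes.fromhex("0200e5f60708")
SAMPLE_8023 = build_frame(SAMPLE_DA, SAMPLE_SA, 10, b"hello-llc!")             # padded to 64 bytes
SAMPLE_ETHERNET = build_frame(SAMPLE_DA, SAMPLE_SA, 0x0800, bytes(50), pad=False)


def corrupt(frame, offset):
    """Flip one byte so the receiver's CRC no longer matches the transmitted FCS."""
    bad = bytearray(frame)
    bad[offset] ^= 0xFF
    return bytes(bad)


if __name__ == "__main__":
    for f in (SAMPLE_8023, SAMPLE_ETHERNET, corrupt(SAMPLE_8023, 20)):
        p = parse_frame(f)
        print(p["kind"], p["da_class"], p["length_or_type"], len(p["data"]), "fcs_ok=%s" % p["fcs_ok"])
```

The 802.3 sample shows why the length field matters to a monitoring device: the MAC padded a ten-byte LLC payload to forty-six bytes, and only the length field tells the parser where real data ends. The corrupted copy shows the FCS mismatch that a receiving station treats as an error.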
It is also important in secure networks to selectively prevent a node from receiving such address and/or data information unless the node requires the information. If a data packet is not destined for a particular node, the particular node generally does not have a need for information within the data packet.
Further, it is important to provide a mechanism to associate each port of a repeater with the actual addresses or identity of the device(s) connected to that port. Typically, unsecured repeaters are devices that are just used for signal amplitude and timing restoration. In all of the above-mentioned modes, the secure repeater must also be provided with the capability to detect and interpret the various fields within data packets that are transmitted on the network.
As described above, every data packet transmitted in the computer network includes a destination address to identify the recipient of the data packet. A secure repeater in a secure network may have one or more end stations attached to each port. Each end station has at least one unique address assigned, and possibly one or more multicast addresses. The secure repeater maintains a list of associated end stations for each output port. The security systems identified in the incorporated references use the destination address field from each data packet to route a data packet to only those output ports associated with the destination address. Output ports of the secure repeater whose associated addresses do not match the destination address receive a modified, or disrupted, data packet. In the preferred embodiment of the secure environment, it is common not to begin disruption until after the destination address field has been transmitted. In other words, every field following the destination address (from the source address on) is disrupted.
The disrupt mechanisms for enhancing computer network security are designed to scramble a data packet transmitted to those end-users that are not intended recipients of the data packet. Conceptually, it is relatively easy to implement data packet disruption since the address of end-user station(s) connected to the repeater can be learned (e.g., the repeater can read and store the source address extracted from data packets received from the end-user station), and thereafter a comparison of a destination address from a received packet and the learned addresses controls distribution and disruption of the data packets to the various end-user stations.
Actually implementing such a security system is more difficult due to a number of known difficulties. A first difficulty is that the repeater needs as many storage locations per port as there are end stations likely to be connected via that port. For ports of the repeater that are connected to another repeater, or to a multi-drop segment (such as coax), potentially many addresses are associated with a port and need to be stored. Because the actual topology of the network is unknown to the repeater, this worst-case number of storage locations must be provided for each port, so the total is multiplied by the number of ports.
A second difficulty is that multicast packets that a repeater receives must be propagated to all members of the group. Sometimes a group is divided across multiple repeaters. An inter-repeater link, the connection between a port on each of two repeaters, should pass the multicast packet on to the group members on other repeaters. To avoid passing multicast packets that should not be forwarded, such as where no members of the group are coupled to the inter-repeater link, the port associated with the inter-repeater link should be capable of storing all multicast addresses that exist on the other repeater.
A third difficulty is that some addresses, either individual or multicast, will be known to a secure repeater, and some will not be known. Packets having unknown addresses should be transmitted across inter-repeater links since the end station associated with the unknown address may exist on the other repeater, or on still another repeater connected to the other repeater, or somewhere else in the network. However, the first two problems typically impose excessive memory requirements on a repeater, especially if addresses reachable through inter-repeater links are to be stored. Because not all addresses can be stored, inter-repeater links are typically unsecured, and forward all data packets undisrupted. This solution defeats the security features and is therefore undesirable.
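The learn-and-compare mechanism described above, together with the three difficulties just listed, can be modelled with the following added example. It is a toy written for this page and is not the patent's embodiment or any product's implementation; the port count, the per-port table size, the choice of inter-repeater ports and the fill byte used for disruption are all assumptions made for illustration. The model learns each port's addresses from the SA of packets received on that port, stores only a fixed number of addresses per port (the first difficulty), forwards multicast packets to known group members and across inter-repeater links (the second), forwards packets with unknown destinations only across inter-repeater links (the third), and disrupts every byte after the DA on all other ports, as the preferred embodiment above describes.

```python
from collections import defaultdict

BROADCAST = bytes([0xFF] * 6)
DISRUPT_FILL = 0x00   # assumed filler; the page does not specify the disruption pattern


def da_class(da):
    """Individual / multicast / broadcast, from the LSB of the first DA byte."""
    if da == BROADCAST:
        return "broadcast"
    return "multicast" if da[0] & 0x01 else "individual"


class SecureRepeater:
    """Toy multiport secure repeater with per-port address learning and selectable disrupt."""

    def __init__(self, num_ports, table_size, inter_repeater_ports=()):
        self.num_ports = num_ports
        self.table_size = table_size              # storage locations per port (difficulty 1)
        self.irl = set(inter_repeater_ports)      # ports that lead to another repeater
        self.individual = {}                      # learned SA -> port
        self.groups = defaultdict(set)            # multicast address -> member ports
        self.learned_on = defaultdict(set)        # port -> addresses stored for it

    def learn(self, port, sa):
        """Store SA for the receiving port; return False when the port's table is full."""
        if sa in self.learned_on[port]:
            return True
        if len(self.learned_on[port]) >= self.table_size:
            return False                          # memory exhausted: address stays unknown
        self.individual[sa] = port
        self.learned_on[port].add(sa)
        return True

    def join_group(self, port, group):
        """Register that a member of multicast group `group` is reachable via `port`."""
        self.groups[group].add(port)

    def clear_ports(self, in_port, da):
        """Ports that receive the packet undisrupted, per the rules in the text."""
        kind = da_class(da)
        if kind == "broadcast":
            ports = set(range(self.num_ports))
        elif kind == "multicast":
            ports = self.groups.get(da, set()) | self.irl   # members here plus other repeaters
        elif da in self.individual:
            ports = {self.individual[da]}
        else:
            ports = set(self.irl)                          # unknown: may live on another repeater
        return ports - {in_port}

    def repeat(self, in_port, frame):
        """Return {port: bytes sent}; non-recipient ports get DA intact and the rest disrupted."""
        da, sa = bytes(frame[0:6]), bytes(frame[6:12])
        self.learn(in_port, sa)
        clear = self.clear_ports(in_port, da)
        disrupted = da + bytes([DISRUPT_FILL]) * (len(frame) - 6)
        return {p: (frame if p in clear else disrupted)
                for p in range(self.num_ports) if p != in_port}


# Constructed addresses and frames for the demonstration (not from the page)
A = bytes.fromhex("020000000001")
B = bytes.fromhex("020000000002")
G = bytes.fromhex("010000000010")   # LSB of first byte set => multicast


def frame(da, sa):
    return da + sa + b"\x00\x2e" + bytes(46) + b"\x00\x00\x00\x00"


def demo():
    """Run the scenario: ports 0..2 hold end stations, port 3 is an inter-repeater link."""
    rep = SecureRepeater(num_ports=4, table_size=2, inter_repeater_ports={3})
    rep.join_group(2, G)
    first = rep.repeat(0, frame(B, A))        # B unknown yet: only the link port gets it clear
    second = rep.repeat(1, frame(A, B))       # A learned on port 0: only port 0 gets it clear
    mcast = rep.repeat(0, frame(G, A))        # member on port 2 plus the link port
    bcast = rep.repeat(0, frame(BROADCAST, A))
    full = rep.learn(0, bytes.fromhex("020000000003")) and rep.learn(0, bytes.fromhex("020000000004"))
    return {"first": first, "second": second, "mcast": mcast, "bcast": bcast, "table_full": not full}


if __name__ == "__main__":
    for name, out in demo().items():
        print(name, out if isinstance(out, bool) else {p: (v[6:12] == bytes(6)) for p, v in out.items()})
```

The `learn` table-full path is the point of the first difficulty: once a port's storage is exhausted, later addresses behind it stay unknown, so their packets are treated like cross-repeater traffic and are disrupted on every end-station port.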
Some of the incorporated patents and patent applications address specific features for implementing one or more aspects of controlling data packet disruption. The solutions disclosed in the various patent applications describe preferred embodiments for the various specific problems. When combining these features into a single integrated repeater having generalized, selectable disrupt features that are controllable on a per-port basis, implementation can become complex. This is especially true of integrated repeaters implementing an embodiment of the invention described in the incorporated patent addressing use of an expansion bus to permit multiple integrated repeaters to interoperate as a single repeater with an increased number of ports. Adding the security features of the present invention complicates combination of several integrated multiport repeaters into a single logical repeater.